Cloudflare and Privacy Act compliance

Cloudflare is a security, performance, and reliability company headquartered in the United States with global operations including an office in Australia that delivers a broad range of network services to businesses of all sizes and in all geographies. We help make our customers’ websites and Internet applications more secure, enhance the performance of their business-critical applications, and eliminate the cost and complexity of managing individual network hardware. Cloudflare's Global Network – which is powered by more than 200 Edge servers around the world, as described here – serves as the foundation on which we can rapidly develop and deploy our products for our customers.

Cloudflare does not have access to or have any control of the data its customers choose to transmit, route, switch, and cache through our Global Network. In a limited number of cases, Cloudflare products can be used for storage of content. Regardless of what Cloudflare services they use, however, our customers are fully responsible for their own compliance with applicable law and their independent contractual arrangements in connection with the data they choose to transmit, route, switch, cache, or store through the Cloudflare Global Network.

The types of personal data Cloudflare processes on behalf of a customer depend on which Cloudflare services are implemented. The vast majority of data that transits Cloudflare’s network stays on Cloudflare’s Edge servers, while metadata about this activity is processed on behalf of our customers in our main data centers in the United States and Europe.

Cloudflare maintains log data about events on our network. Some of this log data will include information about visitors to and/or authorized users of a customer’s domains, networks, websites, application programming interfaces (“APIs”), or applications, including the Cloudflare product Cloudflare Zero Trust as may be applicable. This metadata contains extremely limited personal data, most often in the form of IP addresses. We process this type of information on behalf of our customers in our main data centers in the U.S. and Europe for a limited period of time.

Cloudflare views security as a critical element of ensuring data privacy. Since Cloudflare launched in 2010, we’ve released a number of state-of-the-art, privacy-enhancing technologies, typically ahead of the rest of the industry. Among other things, these tools allow our customers to easily encrypt the content of communications through universal SSL, encrypt the metadata in communications using DNS-over-HTTPS or DNS-over-TLS and encrypted SNI, and control where their SSL keys are held or where their traffic is inspected.

Cloudflare maintains a security program that exceeds industry standards. Our security program includes maintaining formal security policies and procedures, establishing proper logical and physical access controls, and implementing technical safeguards in corporate and production environments, including establishing secure configurations, secure transmission and connections, logging, monitoring, and having adequate encryption technologies for personal data.

We currently maintain the following validations: ISO 27001, ISO 27701, ISO 27018, SOC 2 Type II, and PCI DSS Level 1 compliance. You can learn more about our certifications and reports here.

To view the security measures Cloudflare offers for the protection of personal data, including personal data transferred from Australia to the U.S., please see Annex 2 of our standard DPA.

Under the Privacy Act, organizations seeking to disclose personal information to a recipient outside Australia must ensure that the recipient is in compliance with the APPs. Cloudflare’s Data Processing Addendum (DPA) – which covers our obligations for processing personal data on behalf of our customers and is incorporated by reference into our Enterprise Service Agreement and our Self-Serve Subscription Agreement – is considered as a reasonable step by the Office of the Australian Information Commissioner (“OAIC”) to legitimize cross-border transfers, according to 13 APPs.

In accordance with the guidelines issued by the OAIC, our DPA respects the APPs and describes:

• The categories of transferred data;

• Handling mechanisms regarding complaints;

• Data breach response plan;

• Adequate technical and operational safeguards.

Cloudflare issued our very first transparency report in 2014 for legal process received in 2013, and we pledged then that we would require legal process before providing any government entity with any customer data outside of an emergency and that we would provide our customers with notice of any legal process requesting their customer or billing information before disclosure of that information unless legally prohibited. We publicly stated that we have never turned over encryption keys to any government, provided any government a feed of content transiting our network, or deployed law enforcement equipment on our network. We also committed that if we were asked to do any of those things, we would “exhaust all legal remedies in order to protect our customers from what we believe are illegal or unconstitutional requests.” Since those days early in Cloudflare’s history, we have restated those commitments twice a year, and even expanded on them, in our Transparency Reports.

We have also demonstrated our belief in transparency and our commitment to protecting our customers by filing litigation when necessary. In 2013, with the help of the Electronic Frontier Foundation, we legally challenged an administratively issued U.S. national security letter (“NSL”) to protect our customer’s rights because of provisions that allowed the government to restrict us from disclosing information about the NSL to the affected customer. Cloudflare provided no customer information in response to that request, but the non-disclosure provisions remained in effect until a court lifted the restrictions in 2016.

We have frequently stated our position that any government requests for personal data that conflict with the privacy laws of a person’s country of residence should be legally challenged. (See, for example, our Transparency Report and our white paper, Cloudflare’s policies around data privacy and law enforcement requests, on government requests for data.) Consistent with existing U.S. case law and statutory frameworks, Cloudflare may ask U.S. courts to quash a request from U.S. authorities for personal data based on such a conflict of law.

We have updated our standard data processing addendum (“DPA”) for our customers to now incorporate additionally the above-described supplementary measures and safeguards as contractual commitments. You can view these contractual commitments in section 7 of our DPA.

Cloudflare has developed the Data Localization Suite, which helps businesses get the performance and security benefits of Cloudflare’s global network, while making it easy to set rules and controls at the edge about where their data is stored and protected.

The Data Localization Suite bundles some existing offerings with some new features:

• Regional Services. Cloudflare has data centers in over 270 cities across 100+ countries. Regional Services together with our Geo Key Manager solution allows customers to pick the data center locations where TLS keys are stored and TLS termination takes place. Traffic is ingested globally, applying L3/L4 DDoS mitigations, while security, performance, and reliability functions (such as, WAF, CDN, DDoS mitigation, etc.) are serviced at designated Cloudflare data centers only.

• Keyless SSL. Keyless SSL allows a customer to store and manage their own SSL private keys for use with Cloudflare. Customers can use a variety of systems for their keystore, including hardware security modules (“HSMs”), virtual servers, and hardware running Unix/Linux and Windows that is housed in environments under customers control.

• Geo Key Manager. Cloudflare has a truly international customer base and we’ve learned that customers around the world have different regulatory and statutory requirements, and different risk profiles, concerning the placement of their private keys. With that philosophy in mind, we set out to design a very flexible system for deciding where keys can be kept. Geo Key Manager lets customers limit the exposure of their private keys to certain locations. It’s similar to Keyless SSL, but instead of having to run a key server inside your infrastructure, Cloudflare hosts key servers in the locations of your choosing.